Allow edit only by administrator

[wixaw]

Allow edit ldap configuration only administrator user

[heiglandreas]

Thank you for your contribution! But could you tell me a bit more why you need this change?

Currently the AuthLDAP-Options should only be available for MultiSite-Administrators or for people with the manage_options-privilege (which by default are administrators of a single-site instance) according to https://codex.wordpress.org/Roles_and_Capabilities. So the change you are proposing shouldn't be necessary at all from what I see.

Or did you encounter something different?

[wixaw]

Hello
I see what you mean
It is true that we have a particular use with roles that "co-administration"
they are administrative roles but do not have all the rights
I wanted to use remove_submenu to remove the link "options-general.php?page=authLdap.php" but it does not work.
The purpose being is that the different users to whom we offer the service does not access the LDAP password.
Can you do that, or should I maintain a fork of your authldap plugin?

[heiglandreas]

I'm pretty sure we can find a solution that fits all requirements. And being able to secure the LDAP-Password while also allowing users to help administrating the site is a great fit IMO. So I don't think there is a need to maintain your own fork ;-)

The question is: Shall these co-administrators have access to the LDAP preferences at all? If not, we could couple the access right to something else than manage_options. And make that configurable. So for the initial setup you'd still need manage_options-capabilities but you could then modify that. Would that be a possibility?

[wixaw]

Today, I allowed "manage_options" because I need users to be able to edit Settings
(General,Writing,Reading,Discussion,...)
For you to understand, I am in a research laboratory and I have created a site factory so that each researcher can create and manage his site flexibly
Here are for example the capabilities that I allow them:
$wp_cli cap add co-admin switch_themes edit_themes activate_plugins edit_plugins publish_pages delete_pages delete_others_pages delete_published_pages delete_posts delete_others_posts delete_published_posts delete_private_posts edit_private_posts read_private_posts delete_private_pages edit_private_pages read_private_pages delete_users create_users update_plugins delete_plugins install_plugins update_themes install_themes update_core remove_users promote_users edit_theme_options delete_themes manage_options list_users
Users should not even know the existence of this page, authentication must be transparent to them

Thanks a lot for your help

[heiglandreas]

In that case: Have you considered creating a multisite-installation? In a multisite-installation only the multisite-admin can see and edit the LDAP-configuration ;-)

[wixaw]

yes I thought of multisite, but we have a bad experience with drupal and joomla, I preferred to make each independent site manage by WPCLI
You think it's a bad solution? Today I have about twenty sites but I will have about a hundred next year

[heiglandreas]

That means updating 100sites... That is a lot of scripting you'll have to do there ;-)

I'd actually use multisite for that. You'd be able to have a.example.com and b.example.com and c.example.com and so on but all on one installation. Whether that is manageable is a different question. When all of these are sits with 5 pages and 10 visits per hour that's pssible.If al of them arehigh-trafick sites then your approach is easier as you can move them easily from one soerver to another one...

But from a managing POV the multisite (network as it is called now) is easier.

what where the negative experienes with joomla and drupal?

[heiglandreas]

Apart from that I think I'll add a new capability when the plugin is activated so you'll be able to remove that from your users role.

[wixaw]

With just a script and a for loop, everything updates.
With the other CMS, this is poorly integrated and the updates have gone wrong, it looks a lot like DIY
Thank you very much for your modification, I look forward to it

Cordially
William